In this lab, we’re going to talk about vulnerability scanning, execute a couple of sweet scans, and talk about what they dredge up. But first, let’s talk about vulnerabilities.
A vulnerability is a weakness or flaw that could potentially permit undesirable actions on your assets (i.e., be exploited). Note the important caveat here: potential. A weakness or flaw requires the existence of a threat (source of harm) that might exploit it. Without a threat, a vulnerability is, in and of itself, inconsequential. And what happens when you have both a vulnerability and a threat? Well, now you have risk, the ultimate metric for assessing vulnerabilities in systems.
The degree of risk depends on your particular knowledge of the environment (e.g., do compensating security controls exist, and what impact would successful exploitation have?) and of the threats to its operations (do threats exist, and how likely are they to exploit this vulnerability?). Risk is the metric that ultimately governs which vulnerabilities require attention and in what order. Let’s do an analogy.
Suppose you own an unlocked cabinet full of jewelry:
In the above case, the jewelry owner could lock the cabinet to remove the vulnerability, or they could move to a neighborhood with a lower crime rate to reduce the threat. The point is, vulnerability * threat = risk (not literally multiplication, just the alignment of the two), and it’s the risk you are ultimately concerned about. Either the threat or the vulnerability must be addressed to change the risk it poses.
There are many types of vulnerabilities, including system or network misconfigurations, flaws in software or hardware, backdoors, and missing or weak credentials. In this lesson, you will inspect some common vulnerability types in your first analysis of a vulnerability report.
Okay, now you’re ready.
Vulnerability Scanning is an automated security assessment technique used to identify weaknesses and flaws in systems that could potentially be exploited by a malicious actor. The targets of a vulnerability scan are assets, which can be defined as any resources an individual or company considers valuable. These could be systems that are critical to business operations, or sensitive data you are obliged to safeguard on behalf of your customers and other stakeholders. Vulnerability scans can be used to assess the effectiveness of an organization’s existing security controls, to identify weaknesses and apply corrective measures, or to check adherence to industry standards and regulations.
There are myriad vulnerability scanners available in the cybersecurity space, both free and enterprise. Among the most prominent in the field is Tenable’s Nessus, an enterprise tool with a wide variety of vulnerability tests and a platform for managing discovered vulnerabilities. Similar options include Rapid7’s Nexpose and Qualys, which provide comprehensive vulnerability scanning as well as a platform for managing vulnerabilities. There are also many scanners with a special focus, such as Burp Suite, OWASP’s ZAP Proxy, and Nuclei, which concentrate on web applications; Snyk, which focuses on vulnerabilities in code and its dependencies; and Nikto, which aims to identify misconfigurations in web servers. There is no shortage of vulnerability scanning products out there, but in all cases the goal remains the same: identify vulnerabilities in your assets as a first step in determining the risks posed to an organization.
In this lab, you will use Greenbone’s OpenVAS (Open Vulnerability Assessment System), an open-source scanner forked from Nessus when that product went closed-source. You will access OpenVAS through the Greenbone Security Assistant (GSA), the web interface for Greenbone’s Vulnerability Management solution (GVM). You’ll start by reviewing a vulnerability report completed prior to your arrival. This scan was conducted on a server your company hosts in its DMZ (De-Militarized Zone), where it exposes customer-facing services to the public Internet. Given its role as an externally reachable system, it has greater threat exposure, and so the same finding on it generally represents a greater risk than it would on an internal system sitting entirely behind your firewall (internal systems still carry risk; the threat exposure is just lower).
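The ordering principle from the risk discussion above (same flaw, different risk depending on threat exposure) is easy to lose when a report is sorted only by CVSS severity. The following script, added here as an illustration and not part of the lab or of Greenbone's code, parses a small report and ranks findings by severity weighted with the exposure of the host's network zone. The XML snippet is constructed for this example and only loosely modelled on a GVM report; the element names, the hosts, and the zone weights are assumptions, not the product's schema or any published scoring standard. The weight is a crude stand-in for the "alignment" of vulnerability and threat described earlier, not a claim that risk is literally a product.

```python
"""Rank scanner findings by risk (severity x exposure), not severity alone.

Added example, not part of the lab or of Greenbone's code. The report
snippet is constructed and only loosely modelled on GVM report XML; element
names, hosts and zone weights are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample report: four findings across a DMZ host and an
# internal host. Element names are assumed, not the real schema.
SAMPLE_REPORT = """<report>
  <results>
    <result id="r1">
      <name>OpenSSH weak MAC algorithms</name>
      <host>203.0.113.10</host>
      <port>22/tcp</port>
      <severity>5.3</severity>
      <threat>Medium</threat>
    </result>
    <result id="r2">
      <name>Outdated Apache httpd</name>
      <host>203.0.113.10</host>
      <port>443/tcp</port>
      <severity>7.5</severity>
      <threat>High</threat>
    </result>
    <result id="r3">
      <name>SMB signing not required</name>
      <host>10.0.0.25</host>
      <port>445/tcp</port>
      <severity>7.5</severity>
      <threat>High</threat>
    </result>
    <result id="r4">
      <name>Service banner</name>
      <host>10.0.0.25</host>
      <port>80/tcp</port>
      <severity>0.0</severity>
      <threat>Log</threat>
    </result>
  </results>
</report>"""

# Hypothetical asset inventory: which zone each host sits in, and how much
# extra threat exposure that zone carries. A DMZ host is reachable from the
# Internet, so the same flaw there is weighted higher than on an internal host.
HOST_ZONE = {"203.0.113.10": "dmz", "10.0.0.25": "internal"}
ZONE_WEIGHT = {"dmz": 1.5, "internal": 1.0}


def parse_results(xml_text):
    """Extract findings with a non-zero severity from the report XML."""
    root = ET.fromstring(xml_text)
    findings = []
    for r in root.iter("result"):
        sev = float(r.findtext("severity", "0"))
        if sev <= 0.0:
            continue  # "Log" entries are informational: nothing to exploit, nothing to rank
        findings.append({
            "id": r.get("id"),
            "name": r.findtext("name"),
            "host": r.findtext("host"),
            "port": r.findtext("port"),
            "severity": sev,
        })
    return findings


def risk_score(finding, host_zone, zone_weight):
    """Severity weighted by the host's exposure. Hosts missing from the
    inventory are treated as worst case rather than silently deprioritized."""
    zone = host_zone.get(finding["host"])
    weight = zone_weight[zone] if zone in zone_weight else max(zone_weight.values())
    return round(finding["severity"] * weight, 2)


def prioritize(xml_text, host_zone=HOST_ZONE, zone_weight=ZONE_WEIGHT):
    """Return findings sorted highest risk first (ties broken by severity, then host)."""
    ranked = []
    for f in parse_results(xml_text):
        f = dict(f)
        f["zone"] = host_zone.get(f["host"], "unknown")
        f["risk"] = risk_score(f, host_zone, zone_weight)
        ranked.append(f)
    ranked.sort(key=lambda f: (-f["risk"], -f["severity"], f["host"]))
    return ranked


if __name__ == "__main__":
    for f in prioritize(SAMPLE_REPORT):
        print(f"risk {f['risk']:5.2f}  sev {f['severity']:4.1f}  {f['zone']:8s} "
              f"{f['host']}:{f['port']}  {f['name']}")
```

Run as-is, the Medium-severity SSH finding on the DMZ host ranks above the High-severity SMB finding on the internal host, which is exactly the reordering the risk model calls for; the "Log" entry is dropped because a finding with no severity is not a vulnerability to prioritize. Hosts absent from the inventory default to the highest weight so that an incomplete asset list never hides an exposed system.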
Alright, enough preamble - log in to GSA and check out that report.